kemko/nomad
1
0
Fork 0
mirror of https://github.com/kemko/nomad.git synced 2026-01-02 00:15:43 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
facc3e8013fb5d2ef63474cda127dc6bb91155b4
nomad/command/agent/plugins_test.go
Tim Gross 3633ca0f8c auth: add client-only ACL (#18730) 
The RPC handlers expect to see `nil` ACL objects whenever ACLs are disabled. By
using `nil` as a sentinel value, we have the risk of nil pointer exceptions and
improper handling of `nil` when returned from our various auth methods that can
lead to privilege escalation bugs. This is the third in a series to eliminate
the use of `nil` ACLs as a sentinel value for when ACLs are disabled.

This patch involves creating a new "virtual" ACL object for checking permissions
on client operations and a matching `AuthenticateClientOnly` method for
client-only RPCs that can produce that ACL.

Unlike the server ACLs PR, this also includes a special case for "legacy" client
RPCs where the client was not previously sending the secret as it
should (leaning on mTLS only). Those client RPCs were fixed in Nomad 1.6.0, but
it'll take a while before we can guarantee they'll be present during upgrades.

Ref: https://github.com/hashicorp/nomad-enterprise/pull/1218
Ref: https://github.com/hashicorp/nomad/pull/18703
Ref: https://github.com/hashicorp/nomad/pull/18715
Ref: https://github.com/hashicorp/nomad/pull/16799
2023-10-12 12:21:48 -04:00

37 lines
777 B
Go
Raw Blame History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package agent
import (
"testing"
"github.com/hashicorp/nomad/api"
"github.com/shoenig/test/must"
)
func TestPlugins_WhenNotClientSkip(t *testing.T) {
s, _, _ := testServer(t, false, nil)
must.Nil(t, s.Agent.pluginSingletonLoader)
}
func TestPlugins_WhenClientRun(t *testing.T) {
s, _, _ := testServer(t, true, nil)
must.NotNil(t, s.Agent.pluginSingletonLoader)
}
func testServer(t *testing.T, runClient bool, cb func(*Config)) (*TestAgent, *api.Client, string) {
// Make a new test server
a := NewTestAgent(t, t.Name(), func(config *Config) {
config.Client.Enabled = runClient
if cb != nil {
cb(config)
}
})
t.Cleanup(a.Shutdown)
c := a.APIClient()
return a, c, a.HTTPAddr()
}
Reference in New Issue View Git Blame Copy Permalink